SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  how to turn down an IPsec VPN and recover it in an easy way

    Posted 02-08-2015 11:16
    I have some IPsec VPNs on the SRX 1400. For some reason I want to shut down those VPNs so that the FW doesn't try to establish IPsec VPNs with the peer, and when I need them, I can recover them easily. Is there any way to do that?


  • 2.  RE: how to turn down an IPsec VPN and recover it in an easy way

     
    Posted 02-08-2015 14:50

    'deactivate security ike gateway xxxxxxxx' 



  • 3.  RE: how to turn down an IPsec VPN and recover it in an easy way

    Posted 02-08-2015 23:59

    Thank you very much. So I use 'activate security ike gateway xxxxxxxx' to activate it again, right?


    @evt wrote:

    'deactivate security ike gateway xxxxxxxx' 


     



  • 4.  RE: how to turn down an IPsec VPN and recover it in an easy way

    Posted 02-09-2015 01:33

    When I commit, it says:

     

    Referenced IKE gateway must be defined under [edit security ike gateway]
    error: configuration check-out failed: (statements constraint check failed)



  • 5.  RE: how to turn down an IPsec VPN and recover it in an easy way

     
    Posted 02-09-2015 02:35

    Sorry, my mistake - I forgot that the gateway is also referenced in the ipsec portion of the config, which is also referenced in the policies if you are using policy-based VPN.  You also have to deactivate all those specific areas of the configuration, too. Unfortunately, there is no real "easy" way to disable the VPN, AFAIK.



  • 6.  RE: how to turn down an IPsec VPN and recover it in an easy way

    Posted 02-09-2015 05:33

    But I use route-based VPN.



  • 7.  RE: how to turn down an IPsec VPN and recover it in an easy way
    Best Answer

     
    Posted 02-09-2015 05:45

    Okay, but it's still referenced in the ipsec configuration.  In configuration mode, you can do a 'show | match <gateway_name> | display set' and see all the configuration segments that have referenced your IKE gateway and either deactivate or delete them (temporarily), if you really want to stop the session from trying to establish.  I'm open to hearing other ways, if one exists. Honestly, it's probably more trouble than it's worth, but that's a judgment call on your part.
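
An added example, not part of the thread: a Python helper that reads `display set` output, follows the references described in the answers above (IKE gateway, the IPsec VPNs that use it, and any policy-based tunnel policies that use those VPNs), and emits matching `deactivate` / `activate` command lists. The sample configuration, all object names and the function names are constructed for illustration, and names are assumed to contain no spaces.

```python
import re

# Constructed sample of `display set` output (not taken from the thread).
SAMPLE = """\
set security ike gateway gw-a ike-policy ike-pol-a
set security ike gateway gw-a address 203.0.113.10
set security ike gateway gw-b address 203.0.113.20
set security ipsec vpn vpn-a bind-interface st0.1
set security ipsec vpn vpn-a ike gateway gw-a
set security ipsec vpn vpn-a2 ike gateway gw-a
set security ipsec vpn vpn-b ike gateway gw-b
set security policies from-zone trust to-zone untrust policy to-a2 then permit tunnel ipsec-vpn vpn-a2
set security policies from-zone trust to-zone untrust policy to-b then permit tunnel ipsec-vpn vpn-b
"""

VPN_RE = re.compile(r"^set security ipsec vpn (\S+) ike gateway (\S+)$")
POL_RE = re.compile(r"^set (security policies from-zone \S+ to-zone \S+ policy \S+)"
                    r" then permit tunnel ipsec-vpn (\S+)$")

def dependent_paths(set_lines, gateway):
    """Config paths to toggle: tunnel policies, then VPNs, then the gateway itself."""
    lines = [l.strip() for l in set_lines.splitlines()]
    # Trailing space in the prefix keeps "gw-a" from matching "gw-a2".
    if not any(l.startswith(f"set security ike gateway {gateway} ") for l in lines):
        raise ValueError(f"IKE gateway {gateway!r} not found")
    vpns, policies = [], []
    for l in lines:  # first pass: VPNs that reference the gateway
        m = VPN_RE.match(l)
        if m and m.group(2) == gateway and m.group(1) not in vpns:
            vpns.append(m.group(1))
    for l in lines:  # second pass: policy-based tunnel policies using those VPNs
        m = POL_RE.match(l)
        if m and m.group(2) in vpns and m.group(1) not in policies:
            policies.append(m.group(1))
    return (policies + [f"security ipsec vpn {v}" for v in vpns]
            + [f"security ike gateway {gateway}"])

def toggle_commands(set_lines, gateway):
    """Return (deactivate_commands, activate_commands) for one IKE gateway."""
    paths = dependent_paths(set_lines, gateway)
    return ([f"deactivate {p}" for p in paths],
            [f"activate {p}" for p in reversed(paths)])

if __name__ == "__main__":
    down, up = toggle_commands(SAMPLE, "gw-a")
    print("\n".join(down), "\n", "\n".join(up), sep="\n")
```

Run `commit check` before `commit` after pasting either list in configuration mode. Deactivating a tunnel policy means the traffic it matched is evaluated against the remaining policies, so confirm where that traffic lands before committing.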